Packet-Tracer for l2l vpn

smetieh001

Can someone help with the correct packet-tracer command for an L2L IPsec VPN

on ASA (a)

ciscoasa# packet-tracer input Outside tcp 10.10.1.2 12345 192.168.1.2 80

ASA (a)

Inside ip address - 192.168.1.2

Destination port 80

ASA (b)

Inside ip address - 10.10.1.2

Source port 12345



smetieh001

My question is: can I use the above packet-tracer command to confirm connectivity between the two ends of a site-to-site VPN tunnel? Someone please respond...

Hi,

You won't be able to initiate the L2L VPN negotiation from the external interface, since the ASA is expecting an encrypted/encapsulated packet.

I would suggest using the "inside" as the source IP address and matching the source/destination IP and port for that direction. Even if connections were only initiated from the remote site in the actual setup this would still be enough to initiate the L2L VPN negotiation.

- Jouni

Thanks Jouni. Could you rewrite the above command using your suggestion, just to be clear? Thanks

Hi,

So if your "inside" host is 192.168.1.2 and the "outside" host is 10.10.1.2 then you could just use the following:

packet-tracer input inside tcp 192.168.1.2 12345 10.10.1.2 80

If the goal is just to test the VPN negotiation then the ports don't really matter, but naturally the traffic tested with "packet-tracer" must be allowed by your "inside" interface ACL. The main thing is that the source and destination address match the L2L VPN configuration (Crypto ACL).

Typically you would be using NAT0 for these local and remote networks, so NAT should not be a problem testing this direction. I guess there might be rare situations where using the command in this direction would not be possible.

- Jouni
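As an added example (not code from the thread or from Cisco), a small Python checker that applies the rules Jouni gives above: the packet-tracer must enter on the inside interface, and its source and destination must fall inside the local and remote networks of the crypto ACL. The crypto ACL line, the ACL name L2L_VPN and the function names are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample crypto ACL in ASA syntax (hypothetical name and networks,
# matching the hosts discussed in the thread: 192.168.1.x local, 10.10.1.x remote).
CRYPTO_ACL = ("access-list L2L_VPN extended permit ip "
              "192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0")


def parse_crypto_acl(line):
    """Return (local_net, remote_net) from a 'permit ip <net> <mask> <net> <mask>'
    crypto ACL entry. Object-groups and 'host' keywords are not handled here."""
    t = line.split()
    i = t.index("ip")
    local = ipaddress.ip_network(f"{t[i + 1]}/{t[i + 2]}")
    remote = ipaddress.ip_network(f"{t[i + 3]}/{t[i + 4]}")
    return local, remote


def check_packet_tracer(cmd, crypto_acl, inside_ifname="inside"):
    """Validate 'packet-tracer input <if> <proto> <src> <sport> <dst> <dport>'
    for testing an L2L VPN. Returns (ok, list_of_problems)."""
    t = cmd.split()
    if t and t[0].endswith("#"):        # drop an exec prompt such as 'ciscoasa#'
        t = t[1:]
    if t[:2] != ["packet-tracer", "input"] or len(t) < 8:
        return False, ["not a complete 'packet-tracer input ...' command"]
    ifname, proto, src, sport, dst, dport = t[2:8]
    local, remote = parse_crypto_acl(crypto_acl)
    problems = []
    # The outside leg would have to arrive already encapsulated, so the trace
    # must be injected on the inside interface to trigger the negotiation.
    if ifname.lower() != inside_ifname.lower():
        problems.append(f"ingress interface is {ifname}, expected {inside_ifname}")
    # Source/destination must match the crypto ACL to select the tunnel.
    if ipaddress.ip_address(src) not in local:
        problems.append(f"source {src} is not in local crypto ACL network {local}")
    if ipaddress.ip_address(dst) not in remote:
        problems.append(f"destination {dst} is not in remote crypto ACL network {remote}")
    # Ports are irrelevant to the VPN match but must still be valid for tcp/udp.
    if proto.lower() in ("tcp", "udp"):
        for p in (sport, dport):
            if not p.isdigit() or not 1 <= int(p) <= 65535:
                problems.append(f"invalid port {p}")
    return (not problems), problems


if __name__ == "__main__":
    for c in ("ciscoasa# packet-tracer input Outside tcp 10.10.1.2 12345 192.168.1.2 80",
              "packet-tracer input inside tcp 192.168.1.2 12345 10.10.1.2 80"):
        print(c, check_packet_tracer(c, CRYPTO_ACL))
```

Run against the original poster's command it reports three problems (wrong interface, source and destination swapped relative to the crypto ACL); the suggested command passes.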